Security & reliability

Security that respects your team — and your data.

We don't bolt security onto Prax CRM as a premium upsell. Access control, audit trails and encryption are defaults on every plan.

Encrypted in transit & at rest

TLS 1.2+ for every request. All records encrypted at rest with AES-256 on managed infrastructure.

Role-based access

Three tiers — admin, employee, customer — plus designation-level permissions and per-user overrides.

Feature gates

Toggle entire tabs, or just the Add/Edit/Delete buttons inside them. No more "let me get someone who has access".

Audit trail

Every create, edit and delete written to an immutable log. Who, what, when — across every record type.

Session control

See every active login by user and device. Revoke any session instantly from the admin panel.

Frozen snapshots

Payslips and invoices freeze their context at creation — your historical records stay correct forever, even as master data changes.

Data export, anytime

Every table is exportable to CSV or JSON from the admin panel. Your data is yours — including the schema for it.

Hardened dependencies

We ship on Next.js + Convex — two of the most actively maintained stacks in production. Automated security patching, every week.

Principle of least privilege

Default permissions are restrictive. Admins grant access explicitly rather than revoking it after the fact, so nobody holds access they didn't ask for.

Compliance

Where we are on the compliance map.

We're new and we're transparent about it. Here's what's done, what's in progress, and what we'll commit to as you grow with us.

SOC 2

Type II audit targeted for Q3

GDPR

Data processing addendum available

Data residency

Region selection on Enterprise plans

99.9% uptime

SLA-backed on Enterprise

Frequently asked security questions

Where is my data physically stored?

On Convex's managed infrastructure. Enterprise plans can specify a region (US, EU, or APAC). Default is US.

Can you see my data?

Only for diagnostics when you explicitly request help — and we log every access. Engineering data access is role-restricted and audited.

What happens if I cancel?

Your data is retained read-only for 30 days. Export anytime during that window. After 30 days we delete it completely and send you a deletion attestation.

Do you support SSO?

SAML and Google Workspace SSO on the Enterprise plan. OIDC coming in 2026.

How are passwords stored?

PBKDF2 with per-user salts. Never in plaintext, never reversible. Admins cannot see passwords — only reset them.

Can I sign a DPA?

Yes. We have a standard DPA available on request for any paid customer, and a custom DPA for Enterprise.

Need a security review before committing?

We're happy to walk your team through it. No sales pressure.